I just need to know the reasons of high LDAP query in dc
Will Szymkowski (Senior Solution Architect) commented:
High LDAP queries can really come from anywhere in your environment. The best approach would be to install Wireshark on your domain controller(s) and filter on LDAP to see which machines are generating the most traffic. Once you have determined this, check the application server and see if there is anything wrong with the server/application.


pramod1 (Author) commented:
I have already been given 3 to 4 DC servers by my IT group.
Will Szymkowski (Senior Solution Architect) commented:
OK, that is fine. To see the top talkers that are using LDAP, you need to install Wireshark on them, then run the program filtering on the LDAP protocol and see what the top talkers are.

Once you have that information, you then go to the server and investigate why it is creating all of the requests.

Amit (IT Architect) commented:
Can you tell me the handle count for the LSASS.exe process?
pramod1 (Author) commented:
How do I do that, Amit?
pramod1 (Author) commented:
count for lsass.exe - 1,450,612k
pramod1 (Author) commented:
Can you help?
Amit (IT Architect) commented:
That's very high. 50K is the maximum recommended for the Lsass.exe process. Is this the only DC where you have this issue? Troubleshooting this issue is not that easy.

You can start from here.

This is what you need to do for this issue:
Update NIC drivers
Check the NIC drivers on the DC and update them.
Install updates for the LDAP query optimizer and AD performance event logging
The first update (KB 2862304) improves performance in the LDAP query optimizer (reduces LDAP search time, allowing DCs to service more clients).
The second update (KB 2800945) adds additional event details to event ID 1644, which is used when troubleshooting AD performance-related issues.
Request and install the hotfix from this site: 
Enable 1644 event logging
This enables event ID 1644 to be logged in the Directory Services event log for any LDAP query that takes longer than 50 ms (hex 32) to return. Pertinent details are logged in the event that enable you to identify the clients, along with the LDAP query used, that may be overloading the DC.
Set the following registry values after KB 2800945 is installed:
"15 Field Engineering"=dword:5
"Search Time Threshold (msecs)"=dword:00000032
Increase the size of the Directory Services event log
The default size of the DS event log is 1 MB. Increase it to 20 MB or more. After increasing the size and enabling 1644 event logging, review the timestamps for the start and end events at peak usage to determine the approximate amount of history retained with your current settings. Ensure you have a strategy in place to save off the event log so you don't lose any historical data.
Add LSA logging registry keys to the DC (later on, add to known offenders)
Log file location: %windir%\Debug\lsp.log
Enable Netlogon debug logging on both DCs
This enables verbose debug logging for Netlogon.
Log file location: %windir%\Debug\Netlogon.log and Netlogon.bak
From a command prompt, run:
Nltest /dbflag:2080ffff
Ensure this DC is set up for a full memory dump
    AutoReboot    REG_DWORD    0x1
    CrashDumpEnabled    REG_DWORD    0x2
    Overwrite    REG_DWORD    0x1
    LogEvent    REG_DWORD    0x1
    MinidumpsCount    REG_DWORD    0x32
    DumpFile    REG_EXPAND_SZ    %SystemRoot%\MEMORY.DMP
    MinidumpDir    REG_EXPAND_SZ    %SystemRoot%\Minidump
1)  On the Desktop, Right-Click "My Computer" and select "Properties".  
2)  Go to the Advanced TAB and Click the "Startup and Recovery" button
3)  Under the "Write Debugging Information" section select:
    "Complete Memory Dump" from the pull down menu
      CrashDumpEnabled = 1 (REG_DWORD)
      NMICrashDump = 1 (REG_DWORD)
4)   Make sure a check mark is placed on:
      "Overwrite any existing file"
5)   Make sure that there is a paging file (pagefile.sys) on the
      System Drive and that it is at least 17000, (Initial and Maximum Size).
6)   Make sure there is more free space on the hard drive than there is physical RAM.
Second, enable the CrashOnCtrlScroll registry value to allow the system to generate a dump via the Keyboard:
7)   Start Registry Editor (Regedt32.exe).  
8)   Locate the following key in the registry:  
9)  On the Edit menu, click Add Value, and then add the following registry value:
            Value Name: CrashOnCtrlScroll  
            Data Type: REG_DWORD  
            Value: 1  
10) Quit Registry Editor.
11) Restart the computer.  
Download any tools needed for data collection

You also need to install:
KB 2775511, 2878378, 2728738, 2732673
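As an added example (not code from the thread, and not a Microsoft tool), the registry values, log-size change and Netlogon flag from the answer above wrapped in PowerShell, plus a function that groups the resulting 1644 events by client address. That grouping answers the same "top talkers" question for which Will suggested Wireshark, but from the DC's own log. Assumed: an elevated PowerShell session on the DC, KB 2800945 present so that 1644 events carry the extended fields, and that the event message contains "Client:", "Filter:" and "Search time (msec):" lines; the function names are my own.

```powershell
# Added example, not code from the thread or from Microsoft: applies the 1644
# LDAP query diagnostics described above on a domain controller and then
# summarises the logged events by client to find the top LDAP talkers.
# Assumes: run in an elevated PowerShell on the DC, KB 2800945 installed so that
# 1644 events carry the extended fields. The "Client:", "Filter:" and
# "Search time (msec):" lines parsed below are assumed from the 1644 message text.

$ntdsDiag  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ntdsParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-Ldap1644Logging {
    param(
        [int]$ThresholdMs = 50,   # 0x32: log any LDAP search slower than 50 ms
        [int]$LogSizeMB   = 20    # the default Directory Service log is only 1 MB
    )
    Set-ItemProperty -Path $ntdsDiag  -Name '15 Field Engineering' -Value 5 -Type DWord
    Set-ItemProperty -Path $ntdsParam -Name 'Search Time Threshold (msecs)' -Value $ThresholdMs -Type DWord
    $bytes = $LogSizeMB * 1MB
    wevtutil sl 'Directory Service' "/ms:$bytes"
    # Netlogon verbose logging, as in the answer; writes %windir%\Debug\Netlogon.log
    nltest /dbflag:2080ffff | Out-Null
}

function Disable-Ldap1644Logging {
    # Turn the diagnostics back off once the data is collected; 1644 logging
    # and Netlogon debug logging both add load to a busy DC.
    Set-ItemProperty -Path $ntdsDiag -Name '15 Field Engineering' -Value 0 -Type DWord
    nltest /dbflag:0x0 | Out-Null
}

function Get-LsassHandleCount {
    # The handle count Amit asked for; compare with the ~50K ceiling he cites.
    (Get-Process -Name lsass).HandleCount
}

function Get-Ldap1644TopTalkers {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$Top = 10
    )
    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $parsed = foreach ($e in $events) {
        $m = $e.Message
        # The client appears as ip:port; drop the ephemeral port so one host groups together
        $client = if ($m -match 'Client:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { 'unknown' }
        $ldapFilter = if ($m -match 'Filter:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $ms = if ($m -match 'Search time \(msec\):\s*(\d+)') { [int]$Matches[1] } else { 0 }
        [pscustomobject]@{ Client = $client; Filter = $ldapFilter; Ms = $ms; Time = $e.TimeCreated }
    }
    $parsed | Group-Object Client | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Client       = $_.Name
                SlowQueries  = $_.Count
                TotalMs      = ($_.Group | Measure-Object -Property Ms -Sum).Sum
                SampleFilter = $_.Group[0].Filter
            }
        }
}

# Typical use: enable, wait through a peak period, summarise, then disable.
# Enable-Ldap1644Logging
# Get-LsassHandleCount
# Get-Ldap1644TopTalkers -Since (Get-Date).AddHours(-2) | Format-Table -AutoSize
# Disable-Ldap1644Logging
```

The SampleFilter column is usually the quickest clue: an unindexed or overly broad filter from one application host is what 1644 logging is meant to expose, and the Filter line tells you which query to take to that server's owner.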

pramod1 (Author) commented:
Actually, the LDAP query is reported not on a DC but on the Exchange relay server, so should I run the command on the relay server or on any DC?
Amit (IT Architect) commented:
Can you share the screen? I want to see.
pramod1 (Author) commented:
How should I share?
pramod1 (Author) commented:
You can take control, but how should I share?
Amit (IT Architect) commented:
Take a screenshot and attach it here as a JPG file.
Amit (IT Architect) commented:
I don't see anything abnormal in the screenshot. Resources are normal. svchost.exe has a lot of processes tied in. You need to check which PID is currently using it.

pramod1 (Author) commented:
But since the report was given a few days back, could it be that there is no high LDAP query on the same server anymore?

Amit (IT Architect) commented:
Possible. High LDAP queries are normal on an Exchange server.
pramod1 (Author) commented:
Can you give some reasons for high LDAP queries on an Exchange relay server?

You pointed to lsass.exe being high, disk usage, and CPU usage.

Any other factor? I need to close this.

Are the methods you mentioned to be performed on the DC or on the affected server?
Seth Simmons (Sr. Systems Administrator) commented:
Exchange uses LDAP queries constantly to determine the location of mailboxes.
Unless your domain controller is really in bad shape, I wouldn't be concerned with the high LDAP queries.
Exchange will first use any domain controllers in the same AD site.
Agree with Amit; no real concern here.